Upon execution, this malware will infect and create a malware copy to available removable, fixed and remote drives. It then creates its autorun regsitry entry in :

HKEY_CURRENT_USERSoftWareMicrosoftWindows NTCurrentVersionWindowsLoad

As a way to infect more files and enable its execution further, it modifies the file association of the following file types to execute the malware first:

• txt
• reg
• chm
• hlp

Using the System and Hidden file properties, it aims to hide from the user by setting the registry to disable viewing of files with Hidden and System attributes.

It will then search for hta, htm, html, asp and vbs files whose file size is less than 350000 Bytes to infect in removable, fixed and remote drives. As part of the malware's restrictions in terms of infection, the malware will infect no more than 1000 files that is found on single execution.

For payload, It will check the filename and if it contains predefined strings supposedly related to adult videos, it will delete the file.The file formats are as below:

• mpg
• rmvb
• avi and
• rm

It will also monitor and ensure that the following processes are terminated :

• "ras.exe"
• "360tray.exe"
• "taskmgr.exe"
• "cmd.exe"
• "cmd.com"
• "regedit.exe"
• "regedit.scr"
• "regedit.pif"
• "regedit.com"
• "msconfig.exe"
• "SREng.exe"
• "USBAntiVir.exe"

One thing worth mentioning, is that depending on the parameters, the malware is capable of removing all system modifications and deleting all its copies. It can also disinfect all infected files accessible in the system.

Last update 28 December 2007

 

TOP